Sat. Dec 14th, 2019

Ethical Hacking Playground

hacking is curiosity

Learn an easy and exceptional way to automate open redirects for fun and profit $$$

Hi, my name is z0id. I am a security consultant at HackerOne and Bugcrowd. I would like to share with you how I found an interesting way to find open redirects with automation in Python.

Story

I woke up one morning and decided to find a creative way to look for unvalidated open redirects automatically, so I came up with a very good technique.

First, let me explain my manual way of finding open redirects, and we will go from there.

I start off by picking a target and doing my recon phase on it to find all subdomains. I try not to focus on recon too much because I don't really like it. Once I've collected all the subdomains, I put them in Burp as in-scope items and start spidering away and mapping out the whole site.

I will then look only for 302 status codes in the response, where I see that Location: / is getting reflected in the response header.

I start spraying some payloads with Intruder.

Once I get a hit, I take a screenshot for proof, make a video of my findings, and report it with a nicely detailed Proof of Concept (PoC).
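Added example, not the author's scanner and not code from the original post: the server-side check behind the 302 pattern described above, with a naive version that reflects a leading-slash payload into Location next to a hardened version. The host name app.example.com is an assumed trusted origin.

```python
from urllib.parse import urlparse

# Constructed example: the validation a "next"/"redirect" parameter should
# pass before its value is copied into a 302 Location header.
ALLOWED_HOSTS = {"app.example.com"}  # assumed trusted origin(s)


def naive_is_safe(target: str) -> bool:
    """The kind of check that gets reflected: a leading slash is taken as
    proof that the target is local, so "//other-host/" passes as well."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only same-site paths or https URLs to an allow-listed host."""
    if not target or any(c in target for c in "\r\n\\"):
        return False  # CR/LF would split the header; backslashes are ambiguous
    if target.startswith("//"):
        return False  # scheme-relative URL: the browser resolves it to another host
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        return parsed.path.startswith("/")  # plain local path, e.g. /account
    # Absolute URL: require https and a host on the allow list (hostname, not
    # netloc, so userinfo tricks like https://app.example.com@other/ fail)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def build_location(target: str, fallback: str = "/") -> str:
    """Value to emit in the 302 Location header: the validated target or a fallback."""
    return target if is_safe_redirect(target) else fallback
```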

How To Automate This

I found a way to automate this with exceptional results.

I started off searching for ways to scrape Bugcrowd and HackerOne until I came across:

arkadiyt/bounty-targets-data (github.com): This repo contains data dumps of Hackerone and Bugcrowd scopes (i.e. the domains that are eligible for bug bounty…

I downloaded this and played around with some subdomain scanning with assetfinder.

I used the following bash alias to scan for subdomains from all of Bugcrowd and HackerOne's programs.

Run it like:

afinderlist wildcards.txt

Assetfinder bash alias

Then, once the subdomain scan was finished, I ran the tool I have been developing against all the subdomains and fuzzed the path for open redirects.


Results:

Open redirect scanner

Success Story:

I used this technique and found an open redirect on VendHQ. It was a funny story because I reported it and they said it was out of scope, so they marked it as N/A. I was annoyed but then moved on... 3 days later...

They re-opened it and said:

Vendhq report approved

So, they accepted it and I was pretty much like:

They triaged and approved it, and I got some points. Unfortunately it was not a paid program, but that does not matter. This pretty much made my day, so I decided to ask if I could disclose it, and they allowed it.

Open Redirect VendHQ Disclosure

I hope my technique helps and that you enjoyed this post. Try out my technique, give it a shot, and experiment.

Takeaway

I would like to end this post by saying that if you find an open redirect in a parameter, sometimes you might be lucky enough to chain it with Server-Side Request Forgery (SSRF) for more impact, so it's good practice to test for that if you come across an open redirect.

I hope you enjoyed my post. Have a nice day and happy bug hunting 🙂
